langgraph
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The example calculator tool implementation uses the `eval()` function to process the `expression` input, allowing string-based command execution.
- [REMOTE_CODE_EXECUTION]: The use of `eval()` on unvalidated inputs enables arbitrary Python code execution, which could be triggered by an attacker manipulating the agent's output.
- [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection. Ingestion points: the agent processes messages from `state["messages"]`, which includes untrusted user input (SKILL.md). Boundary markers: there are no explicit delimiters or system instructions to ignore instructions embedded within the provided data. Capability inventory: the skill defines a tool that executes code via `eval()` (SKILL.md). Sanitization: no sanitization or validation logic is provided to ensure the safety of the string passed to the execution function.
Audit Metadata